Adware infection, not resolved by any AV/AM tool

For more than a month now, my laptop has been infected with a browser popup malware which activates whenever I am on a news website and launches a website asking me to download some toolbars/flash upgrades/security upgrades/privacy tools etc.

I downloaded and installed Malwarebytes and ran a scan. While it was not able to detect the malware, the realtime scanner did detect the popups and blocked them.

I also ran JRT and AdwCleaner, but both tools failed to remove the infection.

The FRST logs are attached for reference.

FRST.txt

Addition.txt


I have noticed that you have more than one anti-virus product installed on your system. Well, this is one of the situations where more is not merrier. They tend to conflict with each other, and their different approaches to protecting your system can degrade its performance.
I have listed the anti-virus product(s) you have on your system.

  • adaware antivirus
  • Kaspersky Total Security
  • Spybot - Search and Destroy (Keep it disabled while we are working on your computer)


Please, keep only one. I recommend Kaspersky Total Security.


  • Step #1 Fix with FRST
    Make sure that you still have FRST.exe on your Desktop. If you do not have it, download the suitable version from here to your Desktop.
    • Open Notepad.exe. Do not use any other text editor software;
    • Copy and paste the contents of the code box below into Notepad --
      Start
      CreateRestorePoint:
      CloseProcesses:
      EmptyTemp:
      Task: {982B1C29-C727-4906-B5C7-B1C1FC06EF3F} - \{888E2C9F-917E-4C68-9BD8-38D5CF9D6D02} -> No File <==== ATTENTION
      HKLM\...\Run: [ACMON] => C:\Program Files (x86)\ASUS\Splendid\ACMON.exe********************************************* [107192 2012-09-12] ()
      GroupPolicy: Restriction <======= ATTENTION
      HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
      CHR HKLM\...\Chrome\Extension: [fhoibnponjcgjgcnfacekaijdbbplhib] - hxxps://chrome.google.com/webstore/detail/fhoibnponjcgjgcnfacekaijdbbplhib
      CHR HKLM-x32\...\Chrome\Extension: [fhoibnponjcgjgcnfacekaijdbbplhib] - hxxps://chrome.google.com/webstore/detail/fhoibnponjcgjgcnfacekaijdbbplhib
      End
    • Click on File > Save as...
      • Inside the File Name box type fixlist.txt;
      • From the Save as type drop down list, choose All Files
    • Save the file to your Desktop;
    • Re-run FRST.exe and click Fix;
      • Note: If FRST advises there is a new updated version to be downloaded, do so/allow this.
    • After the completion, a log will be produced;
    • Copy and Paste the contents of the log in your next reply.


Reset your browsers to their default settings.

  • Required Log(s):
    • FRST Fix Log

Regards,
Valinorum

Happens with all 3 browsers that I have used.

I was exclusively using Chrome till last month. Once this problem started I shifted to Opera and Firefox, and I have seen the problem with both. I have not tested the behavior with IE.

Note:

  1. After my previous message I started seeing 404 error pages instead of the advertisements on the popup pages for a day, after which the issue with popups restarted, with toponclick.com being used for loading the popups.
  2. I currently suspect that the issue occurs only with http domains and not with https URLs. I am observing the URLs which trigger the issue to confirm/reject this theory.

Hi,

Can you uninstall Spybot - Search and Destroy (for now) and disable Kaspersky Total Security while running the fixes? I just want to make sure that we do not face interruption from the security software.

Please uninstall BitTorrent as well. 

  • Step #1 Fix with FRST
    Make sure that you still have FRST.exe on your Desktop. If you do not have it, download the suitable version from here to your Desktop.
    • Open Notepad.exe. Do not use any other text editor software;
    • Copy and paste the contents of the code box below into Notepad --
      Start
      CreateRestorePoint:
      CloseProcesses:
      EmptyTemp:
      HKU\S-1-5-21-3717132581-3056233599-1906249280-1002\...\ChromeHTML: ->  <==== ATTENTION
      AlternateDataStreams: C:\Users\soumya\Downloads\adwcleaner_6.047.exe:BDU [0]
      AlternateDataStreams: C:\Users\soumya\Downloads\FSS.exe:BDU [0]
      AlternateDataStreams: C:\Users\soumya\Downloads\JRT.exe:BDU [0]
      AlternateDataStreams: C:\Users\soumya\Downloads\mbar-1.09.3.1001.exe:BDU [0]
      AlternateDataStreams: C:\Users\soumya\Downloads\MiniToolBox.exe:BDU [0]
      AlternateDataStreams: C:\Users\soumya\Downloads\SecurityCheck.exe:BDU [0]
      HKU\S-1-5-21-3717132581-3056233599-1906249280-1001\...\MountPoints2: {102fed67-05b9-11e7-bf1e-50465d440052} - "F:\Lenovo_Suite.exe" 
      HKU\S-1-5-21-3717132581-3056233599-1906249280-1001\...\MountPoints2: {102fed72-05b9-11e7-bf1e-50465d440052} - "F:\Lenovo_Suite.exe" 
      HKU\S-1-5-21-3717132581-3056233599-1906249280-1001\...\MountPoints2: {d8b15b8e-e531-11e5-bee5-50465d440052} - "F:\autorun.exe" 
      SearchScopes: HKU\S-1-5-21-3717132581-3056233599-1906249280-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
      2012-11-23 16:16 - 2012-09-07 17:10 - 0000256 _____ () C:\ProgramData\SetStretch.cmd
      2012-11-23 16:16 - 2009-07-22 15:34 - 0024576 _____ () C:\ProgramData\SetStretch.exe
      2012-11-23 16:16 - 2012-09-07 17:07 - 0000103 _____ () C:\ProgramData\SetStretch.VBS
      CMD: ipconfig /flushdns
      Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
      Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
      End
    • Click on File > Save as...
      • Inside the File Name box type fixlist.txt;
      • From the Save as type drop down list, choose All Files
    • Save the file to your Desktop;
    • Re-run FRST.exe and click Fix;
      • Note: If FRST advises there is a new updated version to be downloaded, do so/allow this.
    • After the completion, a log will be produced;
    • Copy and Paste the contents of the log in your next reply.


  • Step #2 ESET Online Scanner
    Disable your security programs, which include but are not limited to anti-virus, anti-malware, anti-spyware et cetera. Peruse this for additional information.
    • Download esetsmartinstaller_enu.exe by clicking here.
    • Right-click on the program and choose Run as administrator.
    • Accept their terms and conditions and proceed.
    • Install the add-on/ActiveX control if prompted.
    • From the Computer Scan Settings, check the following box --
      • Enable detection for potentially unwanted programs
    • Click on Advanced Settings --
      • Check the box beside Remove Found Threats;
      • Check the box beside Scan archives
      • Check the box beside Scan for potentially unsafe applications
      • Check the box beside Enable Anti-Stealth Technology
    • Click on Start and wait for the virus signature database to update.
    • The online scan will begin automatically and can take several hours.
      • Note: Do not touch the mouse or keyboard during the scan; otherwise it may stall.
    • After the Scan finishes --
      • If no threats were found:
        • Put a checkmark in Uninstall application on close.
        • Close the program and report that nothing was found
      • If threats were found:
        • Open the file located in C:\Program Files\ESET\ESET Online Scanner\log.txt (32-bit) or C:\Program Files (x86)\ESET\ESET Online Scanner\log.txt (64-bit).
        • Copy and Paste contents of the log file in your next reply.

    Note: Enable your security programs afterwards.
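Added example, not part of this thread and not FRST's own code: the selection Valinorum made by hand in both "Fix with FRST" posts (the first reply and this one) can be written as a small triage script that reads FRST log text and emits a fixlist in the same frame. It keeps every line FRST itself marks with "ATTENTION", every AlternateDataStreams: entry, and every MountPoints2 handler that launches an executable straight from a drive letter, and it sets machine-wide Chrome extension registrations (the CHR HKLM\...\Chrome\Extension lines) aside for a human to check instead of deleting them blindly, because legitimate software registers browser extensions under HKLM too. The sample log is constructed from the line shapes posted in this thread plus one made-up, benign Run entry ("ExampleTray") that must not be selected; the output frame (Start/End with CreateRestorePoint:, CloseProcesses:, EmptyTemp: first) is the one used in the posts above.

```python
import re

# FRST marks entries it considers suspicious with "<==== ATTENTION"; the run of '=' varies.
ATTENTION = re.compile(r"<=+ ATTENTION\s*$")
# MountPoints2 handlers that run an .exe straight from a drive letter (stale autorun hooks).
MOUNTPOINT_EXE = re.compile(r'\\MountPoints2: \{[0-9A-Fa-f-]+\} - "[A-Za-z]:\\[^"]*\.exe"', re.I)
# Chrome extension registered machine-wide (HKLM or HKLM-x32) for install into every profile.
HKLM_CHROME_EXT = re.compile(r"^CHR HKLM(?:-x32)?\\\.\.\.\\Chrome\\Extension: \[([a-p]{32})\]")

# Constructed sample: line shapes taken from the log excerpts posted in this thread,
# plus one benign, made-up Run entry ("ExampleTray") that must NOT be selected.
SAMPLE_LOG = r"""
Task: {982B1C29-C727-4906-B5C7-B1C1FC06EF3F} - \{888E2C9F-917E-4C68-9BD8-38D5CF9D6D02} -> No File <==== ATTENTION
HKLM\...\Run: [ExampleTray] => C:\Program Files\Example\Tray.exe [10240 2016-01-01] (Example Corp)
GroupPolicy: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
CHR HKLM\...\Chrome\Extension: [fhoibnponjcgjgcnfacekaijdbbplhib] - hxxps://chrome.google.com/webstore/detail/fhoibnponjcgjgcnfacekaijdbbplhib
CHR HKLM-x32\...\Chrome\Extension: [fhoibnponjcgjgcnfacekaijdbbplhib] - hxxps://chrome.google.com/webstore/detail/fhoibnponjcgjgcnfacekaijdbbplhib
AlternateDataStreams: C:\Users\soumya\Downloads\JRT.exe:BDU [0]
HKU\S-1-5-21-3717132581-3056233599-1906249280-1001\...\MountPoints2: {d8b15b8e-e531-11e5-bee5-50465d440052} - "F:\autorun.exe"
HKU\S-1-5-21-3717132581-3056233599-1906249280-1002\...\ChromeHTML: ->  <==== ATTENTION
"""

# The three housekeeping directives the posts above put before the copied log lines.
FIXLIST_PROLOGUE = ["CreateRestorePoint:", "CloseProcesses:", "EmptyTemp:"]


def classify(line):
    """Return ("fix", reason) for a line that belongs in the fixlist,
    ("review", reason) for a line a human should look at first, or None."""
    s = line.strip()
    if not s:
        return None
    if ATTENTION.search(s):
        return ("fix", "flagged by FRST")
    if s.startswith("AlternateDataStreams:"):
        return ("fix", "alternate data stream on a downloaded file")
    if MOUNTPOINT_EXE.search(s):
        return ("fix", "MountPoints2 handler launching an executable from a drive letter")
    m = HKLM_CHROME_EXT.match(s)
    if m:
        return ("review", "Chrome extension %s registered machine-wide under HKLM" % m.group(1))
    return None


def triage(log_text):
    """Split FRST log text into lines to fix, lines to review, and the reason for each."""
    buckets = {"fix": [], "review": [], "reasons": {}}
    for raw in log_text.splitlines():
        verdict = classify(raw)
        if verdict is None:
            continue
        bucket, reason = verdict
        line = raw.strip()
        buckets[bucket].append(line)
        buckets["reasons"][line] = reason
    return buckets


def build_fixlist(fix_lines, extra_directives=()):
    """Frame the selected lines exactly as the posts above do: Start, the three
    housekeeping directives, the copied log lines, any CMD:/Reg: directives, End."""
    return "\n".join(["Start", *FIXLIST_PROLOGUE, *fix_lines, *extra_directives, "End"]) + "\n"


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    # Same extra directive the second post appends after the copied lines.
    print(build_fixlist(result["fix"], extra_directives=["CMD: ipconfig /flushdns"]))
    for line in result["review"]:
        print("REVIEW:", result["reasons"][line], "::", line)
```

Run it as-is to see the fixlist built from the sample; for a real case, pass the contents of FRST.txt to triage() and read the review bucket before adding any of it to the fixlist. The frame is copied from the posts above; newer FRST releases document a Start::/End:: form, so match the frame to the FRST version you are running.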



FRST and ESET logs attached.

I have uninstalled Spybot and BitTorrent, and disabled the AV before running the scan.

The AV reported adware at the following locations:

C:\Users\soumya\AppData\Roaming\BitTorrent\updates\7.9.0_30659.exe    a variant of Win32/AdkDLLWrapper.A potentially unwanted application    cleaned by deleting
C:\Users\soumya\Downloads\Backup\BitTorrent.exe    a variant of Win32/AdkDLLWrapper.A potentially unwanted application    cleaned by deleting
C:\Users\soumya\Downloads\installers\ccsetup519.exe    Win32/Bundled.Toolbar.Google.D potentially unsafe application    cleaned by deleting
D:\Downloads\Backup\BitTorrent.exe    a variant of Win32/AdkDLLWrapper.A potentially unwanted application    cleaned by deleting
D:\Downloads\Backup\cbsidlm-cbsi188-Convert_XPS_to_PDF_Free-SEO-75914482.exe    a variant of Win32/CNETInstaller.B potentially unwanted application    cleaned by deleting
D:\Downloads\installers\ccsetup519.exe    Win32/Bundled.Toolbar.Google.D potentially unsafe application    cleaned by deleting

Regards

Vijay
 

log.txt

Fixlog.txt


Hi, 

Please bear with me as I attempt to find the root of your issue. Can you save your bookmarks and turn off browser synchronization (remove the users logged in)? Afterward, uninstall the browsers. Delete the following folders:

%APPDATA%\Mozilla\Firefox\
C:\Users\<username>\AppData\Local\Google\Chrome\User Data
%PROGRAMFILES%\Opera

Reinstall them. Do not add accounts or turn on synchronization. Test.


Still having the same problem :(

I did the following.

  1. Uninstalled Firefox + Chrome + Opera.
  2. Deleted the corresponding AppData folders.
  3. Ran the CCleaner registry check to delete leftover references in the registry.

Reinstalled Firefox, browsed a few websites and got the popup after some time....

PS: I am ignoring the message by Alex as it seems irrelevant to the issue we are trying to resolve.


This topic is now closed to further replies.